authorTimo Wilken2023-05-25 22:51:25 +0200
committerTimo Wilken2023-05-25 23:31:13 +0200
commita2ca0bfe64119a03ebfc9c757e6de385f86b85af (patch)
tree00438c303fbb5085e5a898cd828365fb4b7d1e45
parent912862c022e3543a1a170195a731389b59072e7b (diff)
Use the newly-published channel for unattended upgrades
-rw-r--r--.guix-channel2
-rw-r--r--tw/channels.scm41
-rw-r--r--tw/home/lap.scm13
-rw-r--r--tw/system.scm9
-rw-r--r--tw/system/lap.scm49
-rw-r--r--tw/system/vin.scm10
6 files changed, 69 insertions, 55 deletions
diff --git a/.guix-channel b/.guix-channel
index bc877b88..e62d9e75 100644
--- a/.guix-channel
+++ b/.guix-channel
@@ -6,7 +6,7 @@
(url "git://lud.wg/~timo/guix-decls.git")
(dependencies
(channel
- (name 'nonguix)
+ (name nonguix)
(url "https://gitlab.com/nonguix/nonguix")
(introduction
(channel-introduction
diff --git a/tw/channels.scm b/tw/channels.scm
new file mode 100644
index 00000000..b9d243b8
--- /dev/null
+++ b/tw/channels.scm
@@ -0,0 +1,41 @@
+(define-module (tw channels)
+ #:use-module (gnu services)
+ #:use-module (gnu services base)
+ #:use-module (guix gexp)
+ #:use-module (guix modules))
+
+(define-public %system-channels
+ ;; Channel `tw' depends on `nonguix'.
+ ;; See also `.guix-channel' in this repo.
+ #~(cons* (channel
+ (name 'tw)
+ (url "git://lud.wg/~timo/guix-decls.git")
+ (branch "master")
+ (introduction
+ (make-channel-introduction
+ "f26d5f53db3ec351d5d44814b587f1c5f698b155"
+ (openpgp-fingerprint
+ "53EC 3C06 8568 83DD 9235 5BC2 2FC7 8504 681F 69B0"))))
+ %default-channels))
+
+;; Nonguix substitute server's signing key.
+;; From <https://substitutes.nonguix.org/signing-key.pub>.
+(define %nonguix-signing-key
+ (plain-file "nonguix-signing-key.pub" "\
+(public-key
+ (ecc
+ (curve Ed25519)
+ (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)
+ )
+ )
+"))
+
+(define-public %system-channel-services
+ ;; The gaming channel (https://gitlab.com/guix-gaming-channels) is per-user only.
+ (list (simple-service 'nonguix guix-service-type
+ (guix-extension
+ (authorized-keys (list %nonguix-signing-key))
+ (substitute-urls '("https://substitutes.nonguix.org"))))
+
+ (extra-special-file "/etc/guix/channels.scm"
+ (scheme-file "channels.scm" %system-channels))))
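Review bot: The `tw` channel in `%system-channels` is fetched over `git://`, which gives neither server authentication nor encryption, so the root-run unattended upgrade depends entirely on the channel introduction (commit plus OpenPGP fingerprint) a few lines below it. Commit authentication should still reject history not signed by an authorised key, but someone on the network path could withhold updates or observe the fetch. If `lud.wg` is only reachable over a private tunnel (inferred from the name, not shown here), that is worth stating. I would add a comment above the `url` line such as `;; git:// is unauthenticated; integrity rests on the introduction below.` The `(guix modules)` import also looks unused in this file.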
diff --git a/tw/home/lap.scm b/tw/home/lap.scm
index 2b3c848d..b42b8c4d 100644
--- a/tw/home/lap.scm
+++ b/tw/home/lap.scm
@@ -97,16 +97,15 @@
;; This can't be a `service' as that would remove the 'guix channel.
(simple-service 'nonfree-channels home-channels-service-type
(list
- ;; Nonguix is also needed system-wide for non-free drivers!
- (channel
- (name 'nonguix)
- (url "https://gitlab.com/nonguix/nonguix")
- ;; Enable signature verification:
+ (channel ; also pulls in nonguix
+ (name 'tw)
+ (url "git://lud.wg/~timo/guix-decls.git")
+ (branch "master")
(introduction
(make-channel-introduction
- "897c1a470da759236cc11798f4e0a5f7d4d59fbc"
+ "f26d5f53db3ec351d5d44814b587f1c5f698b155"
(openpgp-fingerprint
- "2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5"))))
+ "53EC 3C06 8568 83DD 9235 5BC2 2FC7 8504 681F 69B0"))))
(channel
(name 'guix-gaming-games)
(url "https://gitlab.com/guix-gaming-channels/games")
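Review bot: The `tw` channel's introduction commit and OpenPGP fingerprint are now written out twice, here and in `%system-channels` in `tw/channels.scm`, so a key rotation or re-introduction has to be applied in both places or the per-user and system channel lists will authenticate against different anchors. A comment on the `(channel` form such as `;; Keep introduction in sync with %system-channels in (tw channels).` would make that visible. Note also that nonguix is no longer pinned in this file: its introduction now comes only from the `dependencies` entry in `.guix-channel`. The enclosing `simple-service` list starts and ends outside this hunk.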
diff --git a/tw/system.scm b/tw/system.scm
index 9d53af73..00e81fd7 100644
--- a/tw/system.scm
+++ b/tw/system.scm
@@ -5,6 +5,7 @@
#:use-module (gnu system)
#:use-module (gnu system keyboard)
#:use-module (guix gexp)
+ #:use-module (tw channels)
#:use-module (tw services wireguard))
(use-package-modules admin avahi certs curl disk file-systems linux lsof man
@@ -85,10 +86,10 @@
(tw-wireguard-configuration
(this-host host-name)))
- ;; Delete the annoying message on SSH login. Beware when setting up a new
- ;; host, as `allow-empty-passwords' will block login and sudo execution for
- ;; all Guix-declared users (as these have no initial password).
- (modify-services %base-services
+ (modify-services (append %system-channel-services %base-services)
+ ;; Delete the annoying message on SSH login. Beware when setting up a new
+ ;; host, as `allow-empty-passwords' will block login and sudo execution for
+ ;; all Guix-declared users (as these have no initial password).
(login-service-type
config =>
(login-configuration
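Review bot: Appending `%system-channel-services` in this `modify-services` call authorises the nonguix substitute signing key and adds `https://substitutes.nonguix.org` on every host built on this shared service list, not only the laptop that carried it before. An authorised substitute key is trusted for any store item it signs, so this widens the binary trust base of hosts that may not need nonfree packages at all; the same append is made to `%desktop-services` in `tw/system/lap.scm`. If that is intended, record it in a comment, e.g. `;; Also authorises the nonguix substitute key on all hosts using these services.`; otherwise consider exporting the channels file and the substitute extension as separate lists. The enclosing definition starts and ends outside this hunk.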
diff --git a/tw/system/lap.scm b/tw/system/lap.scm
index 1bc722d4..e9df3abf 100644
--- a/tw/system/lap.scm
+++ b/tw/system/lap.scm
@@ -17,6 +17,7 @@
#:use-module (nongnu packages scanner)
#:use-module (nongnu system linux-initrd)
#:use-module (nonguix licenses)
+ #:use-module (tw channels)
#:use-module (tw services wireguard)
#:use-module (tw system))
@@ -74,32 +75,6 @@ EndSection
(keyboard-layout %british-keyboard)
(extra-config (list touchpad-xorg-config))))
-(define system-channels
- #~(begin
- (use-modules (guix channels))
- (cons* (channel
- (name 'nonguix)
- (url "https://gitlab.com/nonguix/nonguix")
- ;; Enable signature verification:
- (introduction
- (make-channel-introduction
- "897c1a470da759236cc11798f4e0a5f7d4d59fbc"
- (openpgp-fingerprint
- "2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5"))))
- %default-channels)))
-
-;; Nonguix substitute server's signing key.
-;; From <https://substitutes.nonguix.org/signing-key.pub>.
-(define nonguix-signing-key
- (plain-file "nonguix-signing-key.pub" "\
-(public-key
- (ecc
- (curve Ed25519)
- (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)
- )
- )
-"))
-
(define set-timezone-script
;; Every time we connect to a network, get our timezone from network geolocation.
;; https://wiki.archlinux.org/title/System_time
@@ -372,13 +347,11 @@ support extra features (acr, pmu, gr).")
(service unattended-upgrade-service-type
(unattended-upgrade-configuration
- (schedule "0 21 * * *") ; every night at 21:00, when the laptop is turned on
- (maximum-duration (* 40 60)) ; 40 minutes
- (channels system-channels)
+ (schedule "0 21 * * *") ; every night at 21:00, when the laptop is turned on
+ (maximum-duration (* 40 60)) ; 40 minutes to allow for slow downloads
+ (channels %system-channels)
(operating-system-expression
- #~(begin
- (set! %load-path (cons "/home/timo/src/guix-decls" %load-path))
- (@ (tw system lap) %lap-system)))
+ #~(@ (tw system lap) %lap-system))
(services-to-restart
;; Anything that won't cause disruption when restarting.
'(syncthing-timo earlyoom thermald tlp wireguard-wg0 mcron))))
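Review bot: `operating-system-expression` now resolves `(tw system lap)` solely through the `tw` channel in `%system-channels`, and nothing at this call site says so. Because that channel tracks `(branch "master")`, every authorised commit pushed there is reconfigured into the running system as root at the next 21:00 run, with no pinned revision in between. A comment such as `;; (tw system lap) comes from the tw channel in %system-channels; master is deployed as-is.` would document the dependency and the trust it implies. The surrounding services list starts and ends outside this hunk.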
@@ -392,20 +365,10 @@ support extra features (acr, pmu, gr).")
(string-append #$(file-append util-linux "/sbin/fstrim")
" --fstab --verbose"))))
- ;; The nonguix channel is added to channels.scm as an `extra-special-file'.
- ;; The gaming channel (https://gitlab.com/guix-gaming-channels) is per-user only.
- (simple-service 'nonguix guix-service-type
- (guix-extension
- (authorized-keys (list nonguix-signing-key))
- (substitute-urls '("https://substitutes.nonguix.org"))))
-
- (extra-special-file "/etc/guix/channels.scm"
- (scheme-file "channels.scm" system-channels))
-
(extra-special-file "/etc/NetworkManager/dispatcher.d/09-set-timezone"
(program-file "set-timezone" set-timezone-script))
- (modify-services %desktop-services
+ (modify-services (append %system-channel-services %desktop-services)
(gdm-service-type
config =>
(gdm-configuration
diff --git a/tw/system/vin.scm b/tw/system/vin.scm
index 8dfbd2df..5b190756 100644
--- a/tw/system/vin.scm
+++ b/tw/system/vin.scm
@@ -1,12 +1,14 @@
(define-module (tw system vin)
#:use-module (gnu)
#:use-module (gnu bootloader grub)
+ #:use-module (gnu services admin) ; unattended-upgrade-service-type
#:use-module (gnu services docker)
#:use-module (gnu services dbus)
#:use-module (gnu services desktop) ; elogind-service-type
#:use-module (gnu system locale)
#:use-module (gnu system nss)
#:use-module (guix gexp)
+ #:use-module (tw channels)
#:use-module (tw services grafana)
#:use-module (tw services restic)
#:use-module (tw system))
@@ -111,6 +113,14 @@
(service dbus-root-service-type) ; required by `docker-service-type'
(service elogind-service-type) ; required by `docker-service-type'
+ (service unattended-upgrade-service-type
+ (unattended-upgrade-configuration
+ (schedule "22 07 * * sat") ; 07:22 every Saturday morning
+ (maximum-duration (* 40 60)) ; 40 minutes to allow for slow downloads
+ (channels %system-channels)
+ (operating-system-expression
+ #~(@ (tw system vin) %vin-system))))
+
(server-base-services host-name)))
;; The list of user accounts ('root' is implicit).
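Review bot: The new `unattended-upgrade-configuration` for vin sets no `services-to-restart`, unlike the laptop's, so the field's default applies (only mcron, per the Guix manual). Long-running daemons on this host therefore keep running their old binaries after an upgrade until they are restarted or the machine reboots, which means a security update can be installed without being in effect. Consider listing the services that can be restarted without disruption, e.g. `(services-to-restart '(mcron ...))` with the names filled in from this host's service list, or add a comment recording that restarts are deliberately manual. The surrounding services list continues outside the hunk.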